[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request

Timothy Driscoll (JIRA) Mon, 16 Feb 2015 08:47:30 -0800

    [ 
https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14322977#comment-14322977
 ]


Timothy Driscoll commented on HIVE-8954:
----------------------------------------

We've run into the same issue as well.  Stack trace (below) is against the Hive 
1.0.0 release.  

Looks like it was introduced here:
https://github.com/apache/hive/commit/d466a4a266cad48a875cb78fc706c03878bfbfa3#diff-96eaae2c03bb93befeba9bf598597704L181

Apparently the assumption of when partitions may be null was incorrect.  From 
the stack trace, the Driver is explicitly passing in null on this SELECT query:
https://github.com/apache/hive/blob/release-1.0.0/ql/src/java/org/apache/hadoop/hive/ql/Driver.java#L638

I don't know the ramifications, but I just reverted the diff to perform the 
original check on the table and fixes this particular issue at least.

{code}
hive> select * from hive_table limit 5;
FAILED: HiveException java.security.AccessControlException: action WRITE not 
permitted on path hdfs://cluster/hive_table for user <user>
15/02/16 09:37:06 ERROR ql.Driver: FAILED: HiveException 
java.security.AccessControlException: action WRITE not permitted on path 
hdfs://cluster/hive_table for user <user>
org.apache.hadoop.hive.ql.metadata.HiveException: 
java.security.AccessControlException: action WRITE not permitted on path 
hdfs://cluster/hive_table for user <user>
        at 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:393)
        at 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:357)
        at 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:331)
        at 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:180)
        at 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:231)
        at 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:253)
        at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:638)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:455)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:303)
        at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1067)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1129)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1004)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:994)
        at 
org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:201)
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:153)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:364)
        at 
org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:712)
        at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:631)
        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:570)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: java.security.AccessControlException: action WRITE not permitted on 
path hdfs://cluster/hive_table for user <user>
        at 
org.apache.hadoop.fs.DefaultFileAccess.checkFileAccess(DefaultFileAccess.java:88)
        at 
org.apache.hadoop.fs.DefaultFileAccess.checkFileAccess(DefaultFileAccess.java:55)
        at 
org.apache.hadoop.hive.shims.Hadoop23Shims.checkFileAccess(Hadoop23Shims.java:790)
        at 
org.apache.hadoop.hive.common.FileUtils.checkFileAccessWithImpersonation(FileUtils.java:381)
        at 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:384)
        ... 23 more
{code}

> StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT 
> SQL request
> --------------------------------------------------------------------------------------
>
>                 Key: HIVE-8954
>                 URL: https://issues.apache.org/jira/browse/HIVE-8954
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.14.0
>         Environment: centos 6.5 
>            Reporter: LINTE
>
> With hive.security.metastore.authorization.manager set to 
> org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.
> It seem that on a read request, write permissions are check on the HDFS by 
> the metastore.
> sample :
> bash# hive 
> hive (default)> use database;
> OK
> Time taken: 0.747 seconds
> hive (database)> SELECT * FROM  table LIMIT 10;
> FAILED: HiveException java.security.AccessControlException: action WRITE not 
> permitted on path hdfs://cluster/hive_warehouse/database.db/table for user 
> myuser



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request

Reply via email to